Authenticate converged applications(MSA) on Azure Webapp - azure

We are planning to set up a multi-tenant Azure web API which will be invoked by a client app which is registered as a converged app with MSA but now in Azure AD. The client app owner doesn't have Azure AD on their side, and the client belongs to a different tenant.
Can someone please explain how the client will invoke our Azure AD web API, as the client isn't registered as an Azure web app?
We have set up a .NET Core Azure web app.

You need to consent to the web API from your client app tenant first. To consent to the web API, you could follow this:
https://login.microsoftonline.com/client-app-tenant/oauth2/authorize?client_id=api-client-id&redirect_uri=api-reply-url&response_type=code&prompt=admin_consent
By this, a service principal will be created in your app tenant for the API, allowing you to assign app permissions to the web API in your app tenant.


Provide App service security in Azure solutions

I have a ClickOnce Windows application which already has authentication and authorization built in. Earlier I used to deploy it on a physical server and share the location with users so that they can install it and use it. But now we have decided to deploy it on an Azure PaaS service (App Service). But currently the URL is getting accessed by anyone, which I want to restrict. Currently my organization AD is not synced with Azure AD, so I am not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be an efficient approach for your scenario, since you do not want to go that route (due to environment limitations), you could authenticate users with a specified provider (Microsoft Account, Facebook, Google, Twitter or any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly check out the step-by-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See: Advanced usage of authentication and authorization in Azure App Service

Azure AD: How to redirect user to a specific page

I have an app hosted in Azure. Currently when a user is authenticated in Azure AD but does not have access to the application, a generic message appears suggesting the user should request access from an administrator.
Now how would I redirect the user to a specific URL when they get this page from Azure AD? I see no way to configure this in Azure.
EDIT
A few more technical details:
My App is hosted in a serverless Azure App Service. It is an Angular application using msal.js to authenticate.
The App is manually configured in Azure AD using Application Registration tab.

Is it possible to have Azure App Registration in one tenant and App Services in another

Does anyone know if it's possible to create an App Registration in one tenant and then use that registration in another tenant within App Services?
Regards, Oskar
In general yes it is. If you create an app registration, you might define the URL of the App Service in its reply URLs.
Then you can define on the App Service that it should use authentication with a given AAD tenant.
After all, you can use AAD authentication anywhere, on an app hosted in AWS, the Google cloud or an on-prem server.
Of course the Authentication/Authorization feature of App Service is only available there, but that doesn't stop you from configuring authentication within your app.
Managed Identity is a feature that only works within the tenant connected to the subscription though.

Does the Azure AD v2 endpoint support API access other than the Microsoft Graph?

I cloned the node web api from https://azure.microsoft.com/en-us/resources/samples/active-directory-javascript-nodejs-webapi-v2/
An app was registered in the v2 app registration portal, with a Web API platform added and a web app with implicit flow set.
When I browse to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=5bab650d-e96c-4f30-a7e2-e6bbab2e7ab1&response_type=code&redirect_uri=http://localhost:5000/hello&response_mode=query&scope=api%3A%2F%2F5bab650d-e96c-4f30-a7e2-e6bbab2e7ab1%2Faccess_as_user%20openid%20offline_access
the browser is redirected to
localhost:5000/hello?error=invalid_client&error_description=AADSTS65005%3a+The+application+%27hand2%27+asked+for+scope+%27openid%27+that+doesn%27t+exist+on+the+resource.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+4b3bdc12-9c1c-448b-abbb-704e9af80d00%0d%0aCorrelation+ID%3a+27afcaf6-cdac-428a-8c6b-7087ff8b34ef%0d%0aTimestamp%3a+2017-10-11+00%3a41%3a40Z
Any idea?
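Whatever Azure AD sends back to redirect_uri, whether the admin consent redirect from the first answer on this page or the AADSTS error redirect quoted in this question, has to be parsed and checked before the app acts on it. This added example (Python, not code from any of the posts) splits an error redirect into its AADSTS code, message and Trace/Correlation IDs for logging, and accepts a success redirect only when the state value matches the one the app issued; the admin_consent parameter name and the success URL used in testing are assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Sample input: the failing redirect quoted in the question above.
SAMPLE_ERROR_REDIRECT = (
    "http://localhost:5000/hello?error=invalid_client&error_description="
    "AADSTS65005%3a+The+application+%27hand2%27+asked+for+scope+%27openid%27"
    "+that+doesn%27t+exist+on+the+resource.+Contact+the+app+vendor."
    "%0d%0aTrace+ID%3a+4b3bdc12-9c1c-448b-abbb-704e9af80d00"
    "%0d%0aCorrelation+ID%3a+27afcaf6-cdac-428a-8c6b-7087ff8b34ef"
    "%0d%0aTimestamp%3a+2017-10-11+00%3a41%3a40Z"
)
AADSTS_RE = re.compile(r"^(AADSTS\d+):\s*(.*)$")
DIAG_KEYS = {"trace id": "trace_id", "correlation id": "correlation_id",
             "timestamp": "timestamp"}


def new_state():
    """Unguessable state value to send with the authorize/consent request."""
    return secrets.token_urlsafe(32)


def parse_aad_redirect(url, expected_state=None):
    """Classify an Azure AD redirect: parsed error, or a code accepted only with matching state."""
    query = parse_qs(urlsplit(url).query)  # decodes %xx escapes and '+'
    first = lambda key: query.get(key, [None])[0]
    if first("error"):
        desc = first("error_description") or ""
        lines = [ln.strip() for ln in desc.splitlines() if ln.strip()]
        head = AADSTS_RE.match(lines[0]) if lines else None
        out = {"ok": False, "error": first("error"),
               "error_code": head.group(1) if head else None,
               "message": head.group(2) if head else (lines[0] if lines else ""),
               "trace_id": None, "correlation_id": None, "timestamp": None}
        for line in lines[1:]:  # "Trace ID: ...", "Correlation ID: ...", ...
            key, _, value = line.partition(":")
            if key.strip().lower() in DIAG_KEYS:
                out[DIAG_KEYS[key.strip().lower()]] = value.strip()
        return out
    # Constant-time compare; a missing or different state is a failure
    state_ok = expected_state is not None and secrets.compare_digest(
        (first("state") or "").encode(), expected_state.encode())
    return {"ok": bool(first("code")) and state_ok, "code": first("code"),
            "state_ok": state_ok,
            # admin_consent=True is what the admin consent redirect from the
            # first answer carries (parameter name assumed, not from the page)
            "admin_consent": (first("admin_consent") or "").lower() == "true"}
```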

How to integrate an on-prem web application with a web app hosted on Azure (AAD authentication)?

What could be the ways to integrate a web application (on-prem) with another web application (Azure) using Azure AD authentication (happening in the background), without the user being prompted for credentials?
It depends on how your on-premise application is authenticated. Based on the description, you want to implement single sign-on for the on-premise application with the application which is protected by Azure AD.
In this scenario, you can deploy ADFS on-premise and make the on-premise web application authenticate via ADFS. Then we need to enable the trust from ADFS to Azure AD. After building the federated trust, when users try to access the web application protected by Azure AD they will be redirected to ADFS, and if the users have already authenticated to the on-premise application they will not be required to enter their credentials again. Here is a figure to demonstrate this process, and you can refer to more detail about it from this link.
And now, we can use Azure AD Connect to integrate your on-premises directories with Azure Active Directory easily. You can refer to the video on this link about different settings for this tool.
